The European Commission’s Guidelines on the Data Governance Act
The European Commission's recent guidelines on the Data Governance Act (DGA) aim to enhance data sharing and spur innovation across the EU. Our Privacy & Data Security team examines the guidelines, highlighting critical insights for businesses and stakeholders navigating this evolving landscape. Readers will gain a comprehensive understanding of the DGA's implications for data intermediaries and altruism organisations, and why staying informed is essential for leveraging new opportunities.
The Digital Governance Act, or DGA, aims to increase voluntary data sharing for the benefit of businesses and citizens by making it easier to share data in a trusted and secure manner.
So far, only 11 organisations have registered as data intermediaries and one organisation has registered as a data altruism organisation.
Ireland has been slow to implement the DGA. The Central Statistics Office has been designated as the competent body responsible for supporting public sector bodies in facilitating the re-use of public data. However, Ireland has yet to designate a competent authority, to which notifications can be made, to work with data intermediaries and data altruism organisations. The Irish Competition and Consumer Protection Commission is intended to be designated as the competent authority.
Highlights for data intermediaries and data altruism organisations
Re-use of data needs a legal basis
The DGA does not establish a right to re-use personal data or create a new legal basis for its re-use under GDPR. Instead, where the local EU law or Member State law permits the re-use of public data, the DGA facilitates this re-use and any sharing must be done in accordance with the DGA.
Data intermediaries
Data intermediation services are services that facilitate the sharing, exchange, or re-use of data between different parties, such as businesses, public sector bodies, or individuals, while ensuring privacy, security, and transparency. Data intermediation service providers act as neutral intermediaries, enabling organisations to share data in a way that complies with legal and ethical standards, including data protection laws like GDPR.
The DGA sets rules for providers of data intermediation services that connect the supply and demand of data. Certain service providers cannot be considered data intermediaries. These include internet of things platforms and services that focus on the intermediation of copyright-protected content. Data intermediation services may be possible on a B2C basis between individuals that seek to make their personal or non-personal data available, and potential data users.
Data intermediaries must notify the competent authority of their intention to provide their services under Article 11 of the DGA. At a data intermediary’s request, the competent authority is required to confirm whether the intermediary complies with the notification requirements and the conditions for providing intermediation services under the DGA.
Data intermediaries must maintain strict neutrality, using acquired data solely to improve their services and must only share it with user-approved parties. To ensure this neutrality and avoid conflicts of interest, entities offering data intermediation services must legally separate this function from any other services they provide. The pricing and terms of data intermediation services must be independent of whether clients use the intermediary's other services.
Data altruism
Data altruism refers to the voluntary sharing of personal or non-personal data by individuals or organisations for the public good, without expecting any direct compensation in return. Under the DGA, data altruism is encouraged to support research, innovation, and public interest projects, such as improving healthcare, environmental protection, and scientific advancements. This concept promotes the use of data for societal benefit while ensuring privacy and transparency.
In order for an entity to qualify as a data altruism organisation, it must:
- Operate on a not-for-profit basis and be legally independent from any entity that operates on a for-profit basis
- The data must be used for an objective of general interest
- Register with the competent authority
- Adhere to transparency requirements laid out in Article 20
- Protect the rights of data subjects and data holders laid out in Article 21
- Comply with the Rulebook, once that is adopted. The Rulebook is currently being developed and will set security requirements as well as communication roadmaps and interoperability standards
International data transfers
While the GDPR has laid out protections in Chapter V for international data transfers, Article 31 of the DGA provides for similar requests where governmental authorities or courts in a third country request non-personal data. These protections cover all the scenarios in the DGA, such as public sector data, intermediation services, and data altruism organisations.
Article 31 requires that parties implement contractual, organisational, and technical measures to ensure governments’ access in third countries is prevented where that would be in conflict with EU or national law.
There are two exceptions to this rule:
- If a third-country decision is based on a mutual legal assistance treaty with the EU or an EU Member State
- If the third-country decision meets specific legal criteria, including proportionality, judicial review, and consideration of EU legal interests
Before complying with a request, the entity granted the right to re-use the data, the data intermediation service, or the data altruism service must notify the data subject—unless doing so would compromise law enforcement purposes.
European Data Innovation Board (EDIB)
The European Commission established the EDIB to promote the sharing of best practices, particularly regarding data intermediation, data altruism, and the use of publicly held data that cannot be shared as open data. It also focuses on prioritizing cross-sectoral interoperability standards. For example, the EDIB has the power to propose guidelines for Common European Data Spaces on the adequate protection for data transfers outside of the Union. Thus far, they have not published any guidelines.
Comment
So far, not many organisations have registered to be data intermediaries or data altruism organisations. However, that may change as further certainty is brought by the European Commission and the EDIB through the guidelines on the DGA that they publish. Organisations should keep up to date on what data is made available by data altruism organisations and data intermediaries so that they can explore using this previously inaccessible data.
For more information, please get in touch with a member of our Privacy & Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
Share this: